From rick Mon Jan 19 06:42:05 1998
Return-Path:
Received: (from rick@localhost)
by hugin.imat.com (8.8.8/8.8.8) id GAA18573;
Mon, 19 Jan 1998 06:34:56 -0800
From: Rick Moen
Message-Id: <199801191434.GAA18573@hugin.imat.com>
Subject: Improvements at hugin
To: alicem@hugin.imat.com (Alice Mercer), wot@hugin.imat.com,
cydny@hugin.imat.com (Cydny Fire Eisner),
duncan@substance.com (Duncan MacKinnon),
jbpuig@hugin.imat.com (Joseph B. Puig III),
mikeh@hugin.imat.com (Mike Higashi),
sheaffer@hugin.imat.com (Robert Sheaffer)
Date: Mon, 19 Jan 1998 06:34:55 -0800 (PST)
Content-Type: text
Status: RO
I just fixed a bunch of things.
1. Installed quite a lot of update packages to Red Hat 4.2, including
perl 5.004 (security fix), elm 2.4.25 rev. 8, lynx 2.7.1 rev. 8,
ncftp 2.4.2 rev. 4, and quite a number of others, which you'll find
among the files in /usr/local/src/installed/.
2. New Apache 1.2.5. Now runs as user & group "httpd", rather than "nobody".
You'll see new generic icons in /usr/local/etc/httpd/icons/, reachable
in "http://" references as directory /icons/. Logs in /var/log/httpd/
will now be properly aged by the logrotate facility. Also put in a newer
version of the ftp daemon (another security fix).
3. Sendmail 8.8.8, with extensive anti-spam filtering. Mail from hosts/
domains, e-mail addresses, and IP addresses listed in /etc/mail/deny
will now be rejected, systemwide. Also, hugin will no longer relay
e-mail. (That is, mail originating from another host will no longer
be accepted if it's addressed to a non-hugin address.)
4. In case anyone else cares, I've compiled & installed the very latest
tin v. 1.4 beta (newsreader).
5. Compiled and installed pgp 5.0 (international), beta 8a.
6. Compiled and installed ssh v. 1.2.21. We are once again running
sshd (the ssh daemon), and offer all ssh client services (such as scp).
7. Compiled and installed HSC v. 0.915 and SP 1.2 (HTML/SGML
preprocessors).
8. Configured and installed file-upload.cgi in /usr/local/etc/httpd/cgi-bin.
You'll find a test script for it in
/usr/local/etc/httpd/html/waygate/upload.html. Haven't checked it, yet.
Similarly, there's a "man.cgi" script that's said to give Web-based
access to system "man" pages. Haven't tested that, either.
9. Installed support for Network Time Protocol (as a client).
10. Repaired dangling symlinks throughout the system, and converted
them to relative directory references, where they used absolute paths.
As always, if you see anything wrong, please let me know.
--
Cheers,                     The Viking's Reminder:
Rick Moen                   Pillage first, _then_ burn.
rick (at) hugin.imat.com
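Item 3 above describes two separate rules: a deny list keyed on hosts/domains, e-mail addresses and IP addresses, and a refusal to relay (mail from another host is taken only for hugin addresses). As an added illustration, not code from this message or from sendmail, the following Python shows how those two rules compose into a single accept/reject decision for an inbound recipient. The list format, the label-wise domain matching and the choice of 127.0.0.0/8 as the only "local" origin are my assumptions; the message says nothing about how /etc/mail/deny is parsed.

```python
"""Deny-list and anti-relay decision for an inbound SMTP recipient.

Constructed example, not sendmail's access database: the /etc/mail/deny
format and the matching rules below are assumptions.
"""
import ipaddress

LOCAL_DOMAINS = {"hugin.imat.com"}                  # host named in the message
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8")]  # assumption: only hugin itself is local

# Constructed deny-list contents, one entry per line, covering the three
# categories the message names (hosts/domains, e-mail addresses, IP addresses).
DENY_TEXT = """
# blank lines and comments are ignored
spamhaus.example
bulkmail@relay.example
10.0.0.0/8
192.0.2.17
"""


def parse_deny(text):
    """Split the list into (domains, addresses, networks) by inspecting each token."""
    domains, addresses, nets = set(), set(), []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip().lower()
        if not token:
            continue
        try:
            # bare IPs become /32 networks; CIDR prefixes are kept as written
            nets.append(ipaddress.ip_network(token, strict=False))
            continue
        except ValueError:
            pass
        if "@" in token:
            addresses.add(token)
        else:
            domains.add(token.rstrip("."))
    return domains, addresses, nets


def under_domain(name, domains):
    """True if name equals a listed domain or is a subdomain of one.

    Label-wise, not substring: a-spamhaus.example must not match spamhaus.example.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def mail_domain(address):
    return address.lower().rpartition("@")[2]


def decide(client_ip, client_host, sender, rcpt, deny):
    """Return ("accept"|"reject", reason) for one RCPT TO from one connecting client.

    Deny-list checks run first.  Then the anti-relay rule from the message:
    deliver to hugin addresses from anyone, but carry mail to other domains
    only when it originates on hugin itself.
    """
    domains, addresses, nets = deny
    ip = ipaddress.ip_address(client_ip)

    if any(ip in n for n in nets):
        return "reject", f"client IP {client_ip} is listed"
    if under_domain(client_host, domains):
        return "reject", f"client host {client_host} is listed"
    if sender.lower() in addresses or under_domain(mail_domain(sender), domains):
        return "reject", f"sender {sender} is listed"

    if mail_domain(rcpt) in LOCAL_DOMAINS:
        return "accept", "local delivery"
    if any(ip in n for n in LOCAL_NETS):
        return "accept", "outbound mail from a local origin"
    return "reject", "relaying denied"


if __name__ == "__main__":
    deny = parse_deny(DENY_TEXT)
    for args in [
        ("198.51.100.5", "mx.good.example", "a@good.example", "rick@hugin.imat.com"),
        ("198.51.100.5", "mx.good.example", "a@good.example", "victim@elsewhere.example"),
        ("127.0.0.1", "localhost", "rick@hugin.imat.com", "friend@elsewhere.example"),
        ("10.7.7.7", "mx.good.example", "a@good.example", "rick@hugin.imat.com"),
    ]:
        print(args[3], "<-", args[0], decide(*args, deny))
```

The ordering matters: the deny list is consulted before the relay rule so a listed sender cannot reach local users either, and the relay rule keys on the connecting IP rather than on the envelope sender, since the sender address is trivially forged.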
From rick Tue Sep 14 02:13:52 1999
Received: (from rick@localhost)
by hugin.imat.com (8.9.3/8.9.3/Debian/GNU) id BAA09066;
Tue, 14 Sep 1999 01:13:17 -0700
Date: Tue, 14 Sep 1999 01:13:17 -0700
From: Rick Moen
To: Alice Mercer, Robert Sheaffer, Anson Kennedy,
Duncan MacKinnon, Richard Couture,
Bill Garrett, "Joseph B. Puig III", Doug Lym,
"Viren R. Shah", Cydny Fire Eisner,
Karl-Johan Noren, Matthew Hunter, Don Marti,
Kate Talbot, Terry Preston, "R.M. Boye",
Mike Higashi, "P. Korda", Nick Moffitt,
Hironori Sato, Hiroyuki Nishimura,
Deirdre Saoirse, John Mark Walker,
Ed Tast, Nicole Harrington
Subject: Hello, ssh & scp. Goodbye, telnet and (non-anonymous) ftp
Message-ID: <19990914011316.E8674@hugin.imat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
X-WebTV-Stationery: Standard; BGColor=black; TextColor=black
X-fnord: +++ath
X-CABAL: There is no CABAL.
X-CABAL-URL: There is no http://linuxmafia.com/cabal/
X-Eric-Conspiracy: There is no conspiracy.
X-Eric-regex-matching: There are no stealth members of the conspiracy.
Status: RO
Content-Length: 4441
Lines: 124
Greetings, O Users.
You're about to make the acquaintance of ssh (secure sh=shell -- a secure
replacement for telnet) and scp (secure cp=copy -- a secure replacement
for ftp & rcp).
Why? Because I'm disabling all incoming telnet and ftp connections
(except for anonymous incoming ftp). For security reasons.
Any time you open a telnet or ftp connection, you send your password
in plaintext across the open Internet, allowing people sniffing
passwords to effortlessly log your password and then pretend to be you.
So, I am closing off those protocols (in-bound), on this system.
You will (or may) need new client software. Ordinary telnet clients
will not do ssh, and ordinary ftp clients will not do scp. A complete
list of such software is at
http://linuxmafia.com/pub/linux/security/ssh-clients
A few obvious choices:
UNIX PLATFORMS (Linux, *BSD, etc.):
SSH -- ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.27.tar.gz or
http://linuxmafia.com/pub/linux/security/ssh-1.2.27.tar.gz
(Heck, if you're on Unix, you probably already have it.)
Licence: Effectively free. Distributed as source code, sometimes
also as binaries.
MICROSOFT WIN32 PLATFORMS (Win9x, WinNT):
Chaffee SSH -- ftp://ftp.cs.hut.fi/pub/ssh/contrib/ssh-1.2.22-Win32-Beta1.zip
...requires Cygnus-GNUWin32 DLLS from
ftp://sourceware.cygnus.com/pub/cygwin/latest/usertools.exe
Licence: Effectively free. Binary or source.
MACINTOSH OS:
NiftyTelnet SSH --
http://www.lysator.liu.se/~jonasw/download/niftytelnet-1.1-ssh-r3.hqx
Licence: Free-usage, no charge. Binary only.
All three of the above support _both_ ssh (remote shell) and scp
(file copying between machines). Other clients on the list at
http://linuxmafia.com/pub/linux/security/ssh-clients sometimes do
only ssh, not scp.
SSH clients are available for: Java, MacintoshOS, PalmOS, Unix, VMS,
Win32, and WinCE.
Anticipated Questions
---------------------
Q: Does this mean I have to _buy_ new software?
A: No. The zero-cost ssh/scp client packages work just fine.
(So do the payware proprietary ones, such as F-Secure SSH.)
Q: How about for Windows 3.x?
A: Run the Java client inside 16-bit Netscape for Windows.
Q: scp doesn't allow me to view directories the way ftp does!
A: So, open a second window, ssh here in that window, and do
a directory listing in _that_. ("ls -al")
Q: But what if I'm visiting a machine that doesn't have an
ssh client?
A: Install one. Open your Web browser to
http://linuxmafia.com/pub/linux/security/, and browse the
"ssh-clients" listing to find a suitable client package.
Q: But what if they won't let me install software?
A: Then you lose. Suggest they join the 20th century before
it's over.
Q: Are you going to remove the telnet and ftp _clients_ from
your system?
A: No. I'm just disabling the servers for _incoming_ telnet
and (non-anonymous) ftp connections. Outgoing is unaffected.
Q: Why is anonymous ftp OK, but all other ftp is bad?
A: As with regular ftp, anonymous ftp transmits a password in
plaintext, but that password has no security significance.
(By convention, it's the user's e-mail address.) The bad
guys can sniff and log those all they want.
Q: How do I run an ssh/scp _server_ on my end?
A: On Unix, get and install ssh 1.2.27. Otherwise, I have no idea.
Q: What's the syntax for command-line ssh and scp?
A: (Note that for some ssh or scp clients, such as PuTTY for
MS Windows and NiftyTelnet SSH for Macintosh OS, this is
irrelevant because they're GUI programs.) Like this:
ssh username@linuxmafia.com
scp localfile username@linuxmafia.com:[directorypath][/remotefilename]
Q: Are you doing this just to make my life complicated?
A: No, that's just a fringe-benefit. (Actually, it's necessary for
some semblance of system security.)
Q: Isn't the POP3 protocol equally a problem because of plaintext
passwords?
A: Regular POP3 is. APOP (Advanced POP) isn't, and I'll be migrating
towards that, soon.
Q: Is there anything else I can or should do to help?
A: Yes! FOR CRYING OUT LOUD, _don't_ use the same password
here as on other systems. OK?
I'm sure y'all will have more questions. Feel free to hit me
with 'em.
--
Cheers,                     Linux: It is now safe to turn on your computer.
Rick Moen
rick (at) linuxmafia.com
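The message above makes the same point twice: telnet and ftp put the password itself on the wire, and plain POP3 does too, while APOP does not. As an added illustration (Python written for this archive, not code from the message or from any POP3 server), the exchange below runs both styles of POP3 login past a passive "sniffer" and shows what it captures from each. POP3's USER/PASS verbs are the same ones FTP uses, so the plaintext half applies to ftp as well. The challenge-response is the one RFC 1939 specifies for APOP; the host name is hugin's, and the account, password, PID and timestamp are constructed. One caveat the message does not mention: APOP only works if the server keeps the cleartext password (it must compute the same MD5), and an unsalted MD5 challenge-response is a 1990s design; today the answer is TLS, not a better digest.

```python
"""What an eavesdropper sees: plaintext USER/PASS versus APOP (RFC 1939 section 7).

Constructed example added to this archive; not code from the message.
Account data, PIDs, timestamps and passwords below are made up.
"""
import hashlib
import hmac
import re

# APOP obliges the server to keep the cleartext password, since it has to
# compute the same MD5 itself; that is the price of keeping it off the wire.
ACCOUNTS = {"rick": "constructed-pw"}

CHALLENGE_RE = re.compile(r"<[^<>]+>")


def pop3_greeting(pid, timestamp, host):
    """Server banner; the <...> token is the one-time APOP challenge."""
    return f"+OK POP3 server ready <{pid}.{timestamp}@{host}>"


def apop_digest(challenge, password):
    """RFC 1939: hex MD5 over the challenge (angle brackets included) followed by the password."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def client_apop(greeting, user, password):
    """Client side: pull the challenge out of the banner and answer it without sending the password."""
    m = CHALLENGE_RE.search(greeting)
    if m is None:
        raise ValueError("server offered no APOP challenge")
    return f"APOP {user} {apop_digest(m.group(0), password)}"


def server_check_apop(challenge, command):
    """Server side: recompute the digest for the challenge this connection was given."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    password = ACCOUNTS.get(parts[1])
    if password is None:
        return False
    return hmac.compare_digest(apop_digest(challenge, password), parts[2])


def sniffer_view(client_lines):
    """What a passive listener learns from each client line (FTP uses the same USER/PASS verbs)."""
    seen = []
    for line in client_lines:
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            seen.append(("username", arg))
        elif verb == "PASS":
            seen.append(("plaintext password", arg))
        elif verb == "APOP":
            seen.append(("username and one-time digest", arg.split()[0]))
    return seen


def demo():
    """Run a plaintext login and an APOP login past the sniffer and try a replay."""
    greeting = pop3_greeting(18573, 884261696, "hugin.imat.com")
    challenge = CHALLENGE_RE.search(greeting).group(0)

    plain_session = ["USER rick", "PASS constructed-pw"]
    apop_session = [client_apop(greeting, "rick", "constructed-pw")]

    return {
        "plain_leaks": sniffer_view(plain_session),
        "apop_leaks": sniffer_view(apop_session),
        "apop_ok": server_check_apop(challenge, apop_session[0]),
        # the captured APOP line replayed against the next connection's challenge
        "replay_ok": server_check_apop("<18574.884261700@hugin.imat.com>", apop_session[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The replay check is the part worth noticing: because the server issues a fresh challenge per connection, a captured APOP line is useless a second later, whereas a captured PASS line is good until the user changes the password.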
From rick Thu Sep 2 16:28:58 1999
Received: (from rick@localhost)
by hugin.imat.com (8.9.3/8.9.3/Debian/GNU) id QAA16656
for tpreston; Thu, 2 Sep 1999 16:28:57 -0700
Date: Thu, 2 Sep 1999 16:28:57 -0700
From: Rick Moen
To: Terry Preston
Subject: All .GIFs must be gone by 31 Dec 1999
Message-ID: <19990902162856.G15426@hugin.imat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
X-WebTV-Stationery: Standard; BGColor=black; TextColor=black
X-fnord: +++ath
X-CABAL: There is no CABAL.
X-CABAL-URL: There is no http://linuxmafia.com/cabal/
X-Eric-Conspiracy: There is no conspiracy.
X-Eric-regex-matching: There are no stealth members of the conspiracy.
Status: RO
Content-Length: 2196
Lines: 46
As you may or may not have read, Unisys Corp. is now enforcing against
_all Web sites_ its patent on the LZW compression used in GIF images.
Sites that contain .gif images are being required to pay $5000
licence fees (unless all their .gifs were produced by Unisys-licenced
software).
Because of this, I am forced to require removal of all GIF images from
my Web server. Including yours. All must be gone by 31 December 1999,
or I will delete them on New Year's Day.
You may want to convert your images to a suitable format. "PNG" format
is best. Failing that, I use JPEG. "hugin" has a command-line tool
(gif2png) that works to convert _some_ GIF files to PNG. It always
terminates with an error ("segmentation fault"), but sometimes produces
a usable PNG image before dying.
Other useful software on Unix desktop OSes includes xv and Electric Eyes.
(I used xv to convert all GIFs in hugin's main Web tree and my personal
pages.) I'm not sure what you would use on legacy Windows or Macintosh
OSes. Don't forget to change references to those files on your Web
pages!
For your convenience, following is a list of all publicly-accessible
.GIF files in your directories. All _will_ be deleted if they're
still around after year's end. (Please note that I don't care about
.GIFs you keep in directories that aren't Web-accessible.)
/home/tpreston/public_html/bulldogl.gif
/home/tpreston/public_html/images/about.gif
/home/tpreston/public_html/images/articles.gif
/home/tpreston/public_html/images/blueline.gif
/home/tpreston/public_html/images/events.gif
/home/tpreston/public_html/images/home.gif
/home/tpreston/public_html/images/leftdonk.gif
/home/tpreston/public_html/images/links.gif
/home/tpreston/public_html/images/member.gif
/home/tpreston/public_html/images/midnite.gif
/home/tpreston/public_html/images/redline.gif
/home/tpreston/public_html/images/skull2.gif
/home/tpreston/public_html/images/skulline.gif
/home/tpreston/public_html/images/starline.gif
/home/tpreston/public_html/images/tiedye.gif
/home/tpreston/public_html/images/treasure.gif
/home/tpreston/public_html/images/usflag.gif
/home/tpreston/public_html/images/welcome.gif
/home/tpreston/public_html/top10.gif
From rick Tue Jan 13 02:49:30 1998
Return-Path:
Received: (from rick@localhost)
by hugin.imat.com (8.8.5/8.8.4)
id CAA01860; Tue, 13 Jan 1998 02:49:19 -0800
From: Rick Moen
Message-Id: <199801131049.CAA01860@hugin.imat.com>
Subject: Re: What's changed; what's not
To: garrett@midnight.engr.sgi.com (Bill Garrett)
Date: Tue, 13 Jan 1998 02:49:18 -0800 (PST)
Cc: sysadmins@mail.sfpcug.org, sheaffer@hugin.imat.com (Robert Sheaffer),
alicem@hugin.imat.com (Alice Mercer),
cydny@hugin.imat.com (Cydny Fire Eisner),
kjn@hugin.imat.com (Karl-Johan Noren),
mhunter@hugin.imat.com (M. Hunter),
viren@hugin.imat.com (Viren R. Shah)
In-Reply-To: <199801121734.JAA20695@midnight.engr.sgi.com> from "Bill Garrett" at Jan 12, 98 09:34:23 am
Content-Type: text
Status: RO
Content-Length: 1514
Lines: 31
Bill Garrett wrote:
> I'm unable to ftp or telnet to hugin right now (c. 9:30am, Monday).
> In both cases, the computer prompts for my name and password but
> denies access. Is this a problem remaining from hugin's troubles
> last week?
On Monday morning, hugin had hardware problems coming out its
metaphorical ears, which I noticed when I came back from the East
Bay, Monday morning. It was getting a large number of SCSI errors
whenever it tried to read its root drive (again), and, among other
things, large portions of the System V init tree were unreadable.
I took just enough time to copy /var/spool/mail/rick to another machine,
then tried a shutdown. The filesystem was so damaged that it wouldn't
even do an orderly shutdown, so I power-cycled, and the root filesystem
turned out to be so damaged that it wouldn't boot at all.
I've now switched to a different hard drive entirely, a new, short SCSI
cable, and active termination. Hugin has had to be, once again, built
from saved files, and I believe it to be back on-line.
We're still using a slow, 11-year-old SCSI adapter, because the machine's
EISA configuration is so whacked out that it won't recognise either of
my EISA SCSI adapters. Thus, the machine will be a bit slow until I
can find out how to clear the EISA CMOS, and put my EISA adapter back.
--
Cheers,                     The Viking's Reminder:
Rick Moen                   Pillage first, _then_ burn.
rick (at) hugin.imat.com